This specification relates to identifying relationships between security metrics that estimate the security of a system of assets.
Each asset in a system of assets is a computer or other electronic device. A system of assets can be connected over one or more networks. For example, a home might have five assets, all of which are networked to each other and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.
The security of a system of assets is derived from the risk that threats could attack different assets in the system. Each asset in the system of assets can be at risk from multiple threats at any given time. Each threat corresponds to a potential attack on the asset by a particular virus, malware, or other unauthorized entity. An attack occurs when the unauthorized entity exploits a known vulnerability of the asset in an attempt to access or control the asset. Some threats have known remediations that, if put in place for an asset, eliminate or reduce the risk that the threat will affect the asset. Some threats do not have known remediations.
The large number of threats and possible ways to remediate the threats can make it difficult for a system administrator to have a comprehensive view of the security on a given system. System administrators can use one or more of a large number of possible security metrics to quantify overall risk present in a system. However, security monitoring products often restrict which security metrics a security administrator can view. This can make it difficult for security administrators to develop a comprehensive view of system security that is tailored to the details and requirements of their systems. Even if system administrators could use any security metric they wanted when evaluating the security of their systems, it is difficult for system administrators to know which security metrics will provide the best overall picture of the security of their system.